Mallory is a convenient Python-based man-in-the-middle tool. A patched version (mallory.diff) that uses PyOpenSSL sockets adds SNI support, so the proxy can present a forged certificate for the hostname the client actually asked for instead of a single static one.

Importing the CA certificate (mallory/src/ca/ca.cer) into a mobile device lets you see all of the device's SSL-encrypted traffic in the clear, at least for apps that rely on the system trust store (apps that pin their own certificate will refuse to connect rather than talk to Mallory). (Import: either upload ca.cer to a web server or send it as an email attachment; tapping ca.cer installs the CA certificate.)

Installation on a Raspberry Pi with Raspbian and a configured access point:

apt-get install mercurial
apt-get install python2.7-dev python-setuptools
apt-get install python-pyasn1 python-netfilter libnetfilter-conntrack-dev
easy_install pynetfilter_conntrack
# unclear whether this is also needed: apt-get install libnetfilter-conntrack3-dbg

hg clone http://bitbucket.org/IntrepidusGroup/mallory
ln -s /usr/lib/arm-linux-gnueabihf/libnetfilter_conntrack.so /usr/lib/libnetfilter_conntrack.so.1   # pynetfilter_conntrack loads the library by the .so.1 name

apt-get install python-pip python-m2crypto python-qt4 pyro-gui
apt-get install libffi-dev
pip install pyopenssl
apt-get install python-twisted-web python-qt4-sql libqt4-sql-sqlite sqlite3
pip install netlib
apt-get install python-imaging
apt-get install python-paramiko

Apply the patch. It takes some code from this fork, in particular the global config class commit and the restoring of the iptables rules when the Mallory GUI is closed; in addition it ports code from mitmproxy into Mallory to get SNI support.

Instructions for getting started with Mallory can be found here and here. Note that clients currently only acquire DHCP leases while the Mallory GUI is closed.

The Rules and Streams tabs in the Mallory GUI may be unreliable. Mallory does, however, write all packets into a sqlite3 database, which can be browsed on the Advanced tab (DB view: create an SQL statement, then execute it). You can also use sqlitebrowser as a GUI to inspect the data (apt-get install sqlitebrowser).

Attachments: ipt.sh, mallory2.diff, mallory2cap.py.diff

At the bottom of this article you will find a script that converts the Mallory sqlite database into a pcap file that can be read by Wireshark (here with some error handling added: patch).
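The converter below is an added illustration of how such a database-to-pcap export works; it is not the article's own script (mallory2cap.py) and was written for Python 3. Since the real Mallory table layout is not shown on this page, it assumes a hypothetical table flows(id, ts, src_ip, src_port, dst_ip, dst_port, payload), builds a constructed two-row sample in memory, and wraps each stored payload in synthetic Ethernet/IPv4/TCP headers with valid checksums and consistent sequence and acknowledgement numbers so that Wireshark can "Follow TCP Stream" on the result.

```python
import socket
import sqlite3
import struct
import sys

# Hypothetical schema; adapt the SELECT below to the real Mallory database.
SCHEMA = """
CREATE TABLE flows (
    id INTEGER PRIMARY KEY,
    ts REAL,
    src_ip TEXT, src_port INTEGER,
    dst_ip TEXT, dst_port INTEGER,
    payload BLOB
)
"""

# pcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
PCAP_GLOBAL = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ones_complement_sum(data):
    """RFC 1071 checksum over data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, src_port, dst_ip, dst_port, seq, ack, payload):
    """Ethernet (zero MACs) + IPv4 + TCP (PSH|ACK) segment carrying payload."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header with the checksum field still zero; data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def flows_to_pcap(conn):
    """Render every flows row as one segment; returns (pcap bytes, packet count)."""
    out, count = [PCAP_GLOBAL], 0
    seq = {}  # (src_ip, src_port, dst_ip, dst_port) -> next sequence number
    rows = conn.execute("SELECT ts, src_ip, src_port, dst_ip, dst_port, payload "
                        "FROM flows ORDER BY id")
    for ts, sip, sport, dip, dport, payload in rows:
        payload = bytes(payload or b"")
        fwd, rev = (sip, sport, dip, dport), (dip, dport, sip, sport)
        s = seq.setdefault(fwd, 1)
        a = seq.get(rev, 1)  # acknowledge everything the other side has sent so far
        pkt = build_tcp_packet(sip, sport, dip, dport, s, a, payload)
        seq[fwd] = (s + len(payload)) & 0xFFFFFFFF
        sec = int(ts)
        out.append(struct.pack("!IIII", sec, int((ts - sec) * 1e6), len(pkt), len(pkt)))
        out.append(pkt)
        count += 1
    return b"".join(out), count


def read_pcap(data):
    """Yield (timestamp, packet bytes) from a pcap written by flows_to_pcap."""
    off = 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack("!IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def make_sample_db():
    """Constructed sample data (not a real capture): one HTTP request and its reply."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        (1700000000.0, "192.0.2.10", 51000, "198.51.100.20", 80,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        (1700000000.25, "198.51.100.20", 80, "192.0.2.10", 51000,
         b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    ]
    conn.executemany("INSERT INTO flows (ts, src_ip, src_port, dst_ip, dst_port, payload) "
                     "VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    if len(sys.argv) == 3:
        db, out = sqlite3.connect(sys.argv[1]), sys.argv[2]  # real db, assumed layout
    else:
        db, out = make_sample_db(), "sample.pcap"
    data, n = flows_to_pcap(db)
    with open(out, "wb") as f:
        f.write(data)
    print("wrote %d packets to %s" % (n, out))
```

Run it as `python3 db2pcap.py mallory.db out.pcap`, or without arguments to get a sample.pcap built from the constructed rows. The synthetic headers carry no handshake, so Wireshark will note the missing SYN, but the per-direction sequence tracking is enough for stream reassembly and for the HTTP dissector to pair the request with its reply.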

This patch adds a plugin to Mallory that serves the CA certificate at http://ip_of_mallory_host:8080, so a device connected to the access point can fetch and install it directly. (The patch also fixes some issues in http.py.)
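As an added example of what such a download endpoint has to get right (this is not the plugin from the patch, and the real plugin's code is not shown on this page), the following Python 3 script serves ca.cer with the application/x-x509-ca-cert content type, which is what mobile browsers key on to offer the install dialog from the import step described above, and prints the SHA-256 fingerprint so you can check on the phone that the profile you are trusting is really Mallory's CA. The path ca/ca.cer and port 8080 follow the article; everything else is this example's own choice.

```python
import base64
import hashlib
import http.server
import sys

# Content type that iOS and Android treat as a certificate download; a plain
# application/octet-stream typically just saves the bytes without offering to install.
CA_MIME = "application/x-x509-ca-cert"


def pem_to_der(data):
    """Accept DER or PEM input and return the DER encoding."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [l.strip() for l in data.splitlines()]
        return base64.b64decode(b"".join(l for l in lines if not l.startswith(b"-----")))
    return data


def fingerprint(data):
    """Colon-separated SHA-256 fingerprint of the certificate, as phones display it."""
    digest = hashlib.sha256(pem_to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_response(path, der):
    """(status, headers, body) for a request path; only the cert itself is served."""
    if path not in ("/", "/ca.cer"):
        return 404, [("Content-Type", "text/plain")], b"not found\n"
    headers = [("Content-Type", CA_MIME),
               ("Content-Disposition", 'attachment; filename="ca.cer"'),
               ("Content-Length", str(len(der)))]
    return 200, headers, der


class CAHandler(http.server.BaseHTTPRequestHandler):
    der = b""  # set once at startup

    def do_GET(self):
        status, headers, body = build_response(self.path, self.der)
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


def serve(path, port=8080):
    CAHandler.der = pem_to_der(open(path, "rb").read())
    print("serving %s on :%d, SHA-256 %s" % (path, port, fingerprint(CAHandler.der)))
    http.server.HTTPServer(("0.0.0.0", port), CAHandler).serve_forever()


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "ca/ca.cer")
```

Start it from mallory/src (`python3 serve_ca.py ca/ca.cer`) and open http://ip_of_mallory_host:8080/ca.cer on the phone; before confirming the install, compare the fingerprint the phone shows with the one printed on the console. Unlike the port redirection, this server does not need root, since 8080 is an unprivileged port.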

The script ipt.sh starts and stops the port redirection for Mallory. This script and Mallory itself (cd mallory/src; python mallory.py) have to run as root. The Mallory GUI (cd mallory/src; python launch_gui.py) can run as a normal user if the port redirection is handled by ipt.sh, so only the two components that touch the network need elevated privileges.

One Comment

  1. sskaje says:

    Hi, sskaje here.

    I saw someone posted an issue on bitbucket about your patch, which brought me to this page (https://bitbucket.org/sskaje/mallory/issue/1/add-sni-support).

    Do you have the patched code hosted on Bitbucket, so that I can try to merge your SNI support?

    sskaje
